Posted

Hi all.

My account was moved to Plesk. Right now my main site is hosted on a VPS and its nameservers are managed by Cloudflare.

I am getting emails from Plesk stating that it failed to secure my domains with Let's Encrypt. I don't know if this is due to my Let's Encrypt certificates being managed by Cloudflare. What would be better, let Cloudflare continue to manage the Let's Encrypt certificates or have Plesk manage them? Which settings should I move in either case?

I have the following domains:

  • infantex.com.mx (main)
  • infantex.mx (alias for infantex.com.mx)
  • zaldivar.mx (add-on domain?)

Please note that both infantex.com.mx and zaldivar.mx's DNSs are managed by Cloudflare, infantex.mx's not.

Also infantex.com.mx website is currently in a Heliohost VPS. 

zaldivar.mx has no website, only email services and is also managed by the VPS (via HestiaCP).

infantex.com.mx mail is managed by a free G Suite Legacy account... which I will need to change since Google will discontinue that service this month.

Thanks in advance for your help.

Regards,

Posted

There's many different ways to configure things that will work, but what I recommend is:

Use a hosts file to make your browser think that your domains are hosted on 65.19.141.77 (Plesk), and then make sure all your domains are working correctly on Plesk. With the hosts file only your computer will think the domain is on Plesk, and the rest of the world will continue getting your website from the VPS.

Then when everything is working correctly on Plesk log in to Cloudflare and change the A record from 65.19.141.197 to 65.19.141.77. This will make everyone's computers go to Plesk when they go to your domain. I recommend continuing to use Cloudflare for now because the DNS connection in Plesk isn't fully working yet so if you switch to our nameservers an admin will have to make changes for you. If you continue to use Cloudflare you can make the changes yourself and save us some work. If you're using Cloudflare's DNS you can use their SSL too.

For mail you'll want to make an MX record in Cloudflare pointed to 65.19.141.77 if you want the emails to go to Plesk. You'll need to copy/paste the DKIM that Plesk provides and the SPF value mentioning Plesk's IP into Cloudflare to make your email sending work though because you'll have terrible spam scores without them. Let us know if you need help with any of that.

Posted

OK. I added the line:

65.19.141.77 infantex.com.mx

into my hosts file. In fact, it's the only uncommented line in the file.

After doing this, when I tried to access infantex.com.mx, I received a NET::ERR_CERT_AUTHORITY_INVALID error. Suggested solutions included using incognito mode (didn't work) and temporarily turning off the antivirus (still received the error but got the option to load the page anyway). It loaded but with a warning: The address bar shows: "Not safe" and "https" appears in red and strikethrough.

I guess that's due to the Let's Encrypt certificates not being issued by Plesk. How do I get the certificates from Cloudflare to Plesk and how can I automate it (I understand Cloudflare is renewing the Let's Encrypt certificates every three months).

Regards,

Posted

You can only issue SSL if you change the A record. The whole point of the hosts file is to test your site before you transfer the A record over. If you don't want to test your site first you can just skip the hosts file entirely and edit the A record.

Posted

OK. The site seemed to be working fine when I made the test with the edited hosts file. The only issue being the safety warnings. So, I went ahead and changed the A record on Cloudflare. All seems to be working fine. I'll check again tomorrow to let the DNS change propagate.

I'll look into zaldivar.mx's email next.

  • 2 weeks later...
Posted

I had some time to try and setup zaldivar.mx's email in Plesk.

I tried to log into HestiaCP to check the mailboxes' user names, aliases, etc. But got both an unsecure server error and an internal server one (500):

image.thumb.png.af6ead9eb7fd2c77f1b6c95fb68d88ce.png

How can I fix this?

Regards,

Posted

It looks like Hestia locked up, and couldn't restart. I logged in to your VPS and ran the commands

sudo kill 285478
sudo systemctl restart hestia

Your login page on port 8083 appears to be working now. Let us know if you have any other issues.

  • 2 weeks later...
Posted

I couldn't configure the email for zaldivar.mx.

Here're the DNS records in Cloudflare:

image.png.f4ba726ac4fdc6a989e13b3091b743ce.png

I copied the DKIM and default._domainkey records from Plesk into Cloudflare. Also, the SPF record includes only Plesk's IP (65.19.141.77).

I can log in using the web interface (webmail.zaldivar.mx) and I verified I could receive mail into one of the accounts (jorge@zaldivar.mx). But I cannot retrieve such mail using POP. I use the following settings:

Username: jorge@zaldivar.mx
POP server: zaldivar.mx
Port: Tried both 110 and 995
Always use SSL: Tried both Yes and No

For the port and SSL options I tried the four combinations (110/no SSL, 995/SSL, 110/SSL and 995/no SSL).

The error I get is "connection timed out".

What am I doing wrong?

Also, the only options available for SSL/TLS certificate for mail (and webmail) are "Not selected". How can I enable SSL for email?

Regards,

 

Posted

Cloudflare is the problem. When your mail client tries to connect to SMTP or IMAP it's looking at the A record for zaldivar.mx and it gets 172.67.139.59 and 104.21.79.5, and then it tries to connect to port 995 or 465 or whatever on those Cloudflare servers and it times out. There's a few easy ways to fix it.

I recommend just typing tommy2.heliohost.org into your mail client rather than zaldivar.mx. That's the easiest way to make it work.

The other option if you really need to hide the server that you're on is you could create a subdomain like smtp.zaldivar.mx and imap.zaldivar.mx or mail.zaldivar.mx or whatever and have Cloudflare give 65.19.141.77 as the A record.

The third option is to switch to ns1.heliohost.org and ns2.heliohost.org instead of using Cloudflare, but then you would have to make a support request each time you needed your DNS changed. Eventually we will implement the ability to edit DNS records on your own.

Posted (edited)

Thanks, Krydos.

I opted to create a mail.zaldivar.mx A record pointed to 65.19.141.77 as per your second suggestion... When doing that, I second guessed and thought: "How is this different to using plain zaldivar.mx as the POP server, which is also an A record pointed to the same IP?" But since that was your recommendation, I went ahead, added the record and, additionally, disabled Cloudflare's proxy service for that record (perhaps the IPs you detected were the proxy's?).

Anyways, it worked (at least for POP, I'll check SMTP later). However, I couldn't get a secure connection: I had to disable "Always use SSL" and change to port 110. Since I would like to have secure connections, I changed the POP server to tommy2.heliohost.org, but got the exact same results: 

  • Using SSL and port 995: Unable to make a secure connection (I'm translating, the actual message is in Spanish)
  • Using no SSL and port 995: Connection timed out
  • Using no SSL and port 110: Works

How can I enable SSL for mail in Plesk? As a reminder, I get my Let's Encrypt certificates from Cloudflare.

Regards,

Update: I was unable to set a secure SMTP configuration, same results using mail.zaldivar.mx or tommy2.heliohost.org as SMTP servers:

  • Secure connection using TLS and port 587: Unable to connect to server.
  • Secure connection using TLS and port 25: Authentication failed, bad username or password.
  • Secure connection using TLS and port 465: Unable to connect to server.
  • Secure connection using SSL and port 587: Unable to connect to server.
  • Secure connection using SSL and port 465: Authentication failed.
  • Secure connection using SSL and port 25: Unable to connect to server.
  • Unsecure connection and port 25: Success.

 

Edited by infantex
Added SMTP configuration results
Posted

Not being able to connect to IMAP, and SMTP on the tommy2.heliohost.org domain was my fault. Apparently the server was using a self-signed certificate. I set up email with a real SSL certificate and now it should work.

SMTP host: tommy2.heliohost.org
SMTP port: 465
SMTP SSL/TLS: on
IMAP host: tommy2.heliohost.org
IMAP port: 993
IMAP SSL/TLS: on

Posted

Great! Thank you, Krydos.

I was now able to set up secure connections both for POP and SMTP.

I did have to use tommy2.heliohost.org as server, though. Using my domain resulted in errors (mail.zaldivar.mx not in tommy2.heliohost.org SAN list or something like that for POP, and zaldivar.mx does not match server name for SMTP).

Also, I used port 995 for POP because I received an error when trying to use 993. Just so you know.

Is there a way not to have to use tommy2 as server? For the zaldivar.mx domain is not an issue, but I'll have to transfer the emails for infantex.com.mx to Plesk from G Suite Legacy, since they're terminating it... Although, that may not be an issue either. I mean, the mail servers are currently Google's, not Infantex's, anyway. So knowing whether it would be possible not to use tommy2 as server will be just a matter of curiosity.

Regards,

Posted
21 minutes ago, infantex said:

I used port 995 for POP because I received an error when trying to use 993.

993 is IMAP. I prefer IMAP because you get your emails quicker.

21 minutes ago, infantex said:

Is there a way not to have to use tommy2 as server?

Yeah, use ns1.heliohost.org and ns2.heliohost.org or turn off proxying in Cloudflare.
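The three outcomes reported in this thread (timeout on the proxied name, certificate mismatch on the unproxied subdomain, success on the server's own name) can be reproduced as an offline check. This is an added example, not code from the thread or from HelioHost; the resolved addresses and the SAN list are constructed from what the posts report, the tommy2 address is an assumption, and only two of Cloudflare's published IPv4 ranges are listed.

```python
import ipaddress

# Two of the IPv4 ranges Cloudflare publishes for its proxy edge (not the full list).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed from the thread: what each candidate mail host resolves to.
# The tommy2 address is an assumption (the thread gives 65.19.141.77 for Plesk).
RESOLVED = {
    "zaldivar.mx": ["172.67.139.59", "104.21.79.5"],
    "mail.zaldivar.mx": ["65.19.141.77"],
    "tommy2.heliohost.org": ["65.19.141.77"],
}
# Constructed: SAN list consistent with the certificate errors reported above.
CERT_SANS = ["tommy2.heliohost.org"]


def behind_cloudflare(addresses):
    """True if any resolved address falls inside a listed Cloudflare range."""
    return any(ipaddress.ip_address(a) in net
               for a in addresses for net in CLOUDFLARE_NETS)


def san_matches(hostname, san):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]


def diagnose(hostname, resolved=RESOLVED, sans=CERT_SANS):
    """Classify a mail hostname the way a POP/IMAP/SMTP client would experience it."""
    if behind_cloudflare(resolved[hostname]):
        return "proxied: mail ports are not forwarded, expect a timeout"
    if not any(san_matches(hostname, s) for s in sans):
        return "direct: reachable, but the certificate does not name this host"
    return "ok: reachable and the certificate names this host"


if __name__ == "__main__":
    for name in RESOLVED:
        print(f"{name:22} {diagnose(name)}")
```
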

Posted
2 hours ago, Krydos said:

993 is IMAP. I prefer IMAP because you get your emails quicker.

I'm using GMail and it doesn't support using IMAP to read emails from other accounts. I kind of remember that many years ago IMAP was supported, doesn't seem to be the case any longer, so POP will do.

2 hours ago, Krydos said:

Yeah, use ns1.heliohost.org and ns2.heliohost.org or turn off proxying in Cloudflare.

I think you refer to using them as DNS, in which case, you'd have to change them yourselves in case of need, so it'd not be practical. If you refer to using one of them in place of tommy2.heliohost.org as email servers (I don't really think you mean that), there'd be really no point.

As for turning off proxying in Cloudflare, I'd already tried that and it didn't work. I got errors because the certificate was for a different domain (tommy2.heliohost.org instead of mail.zaldivar.mx). 

But, no problem, everything seems to be working fine with tommy2 as email server.

One problem I do have, kind of related to email, is that I have a contact form (https://infantex.com.mx/contacto.php) that's supposed to send email to contacto@infantex.com.mx and it's not been working since I moved back from the VPS to Tommy. I get no errors but neither receive any emails (I already checked the spam folder and they're not there either). Any suggestions as to how can I start to look into this erroneous behavior?

Regards,

Posted

Here's the log for your contact form.

Jul 14 02:38:20 tommy2 plesk-sendmail[48064]: S48062: py-limit-out: stderr: INFO:__main__:Setting 'X-PPP-Vhost' header to 'infantex.com.mx'
Jul 14 02:38:20 tommy2 plesk-sendmail[48064]: S48062: py-limit-out: stderr: PASS
Jul 14 02:38:21 tommy2 plesk-sendmail[48064]: S48062: check-quota: stderr: SKIP
Jul 14 02:38:21 tommy2 postfix/pickup[44550]: 23602401FAEE: uid=10183 from=<infantx@infantex.com.mx>
Jul 14 02:38:21 tommy2 postfix/cleanup[45317]: 23602401FAEE: message-id=<1ae95ef6ce2de4bc3179c9c8515f7197@infantex.com.mx>
Jul 14 02:38:21 tommy2 postfix/qmgr[28715]: 23602401FAEE: from=<infantx@infantex.com.mx>, size=2985, nrcpt=1 (queue active)
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: from=<infantx@infantex.com.mx>, to=<infantx@infantex.com.mx>, dirname=/var/qmail/mailnames
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: connection from localhost.localdomain [::1]:40948 to port 783, fd 6
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: using default config for infantx@infantex.com.mx: /var/qmail/mailnames/infantex.com.mx/infantx/.spamassassin/user_prefs
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: processing message <1ae95ef6ce2de4bc3179c9c8515f7197@infantex.com.mx> for infantx@infantex.com.mx:30
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: clean message (0.2/7.0) for infantx@infantex.com.mx:30 in 0.4 seconds, 3064 bytes.
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: result: . 0 - HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,NO_RELAYS,T_SCC_BODY_TEXT_LINE scantime=0.4,size=3064,user=infantx@infantex.com.mx,uid=30,required_score=7.0,rhost=localhost.localdomain,raddr=::1,rport=40948,mid=<1ae95ef6ce2de4bc3179c9c8515f7197@infantex.com.mx>,autolearn=no autolearn_force=no
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: spam: stderr: PASS
Jul 14 02:38:21 tommy2 dk_check[48118]: 23602401FAEE: DKIM Feed: No signature
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dk_check: stderr: PASS
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: SPF record was not found in Authentication-Results
Jul 14 02:38:21 tommy2 dk_check[48118]: 23602401FAEE: DKIM Feed: No signature
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dk_check: stderr: PASS
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: SPF record was not found in Authentication-Results
Jul 14 02:38:21 tommy2 dk_check[48118]: 23602401FAEE: DKIM Feed: No signature
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dk_check: stderr: PASS
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: SPF record was not found in Authentication-Results
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: DMARC: smtpdomain=infantex.com.mx maildomain=thankyou.com mailfrom=no@thankyou.com stamp=1657766301 ip=unknown adkim=relaxed aspf=relaxed p=REJECT sp=UNSPECIFIED pct=100 align_dkim=fail align_spf=fail spfres=unknown dkimres=unknown dmarccheck=DMARC_POLICY_REJECT dmarcstatus=STOP
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dmarc: stderr: STOP
Jul 14 02:38:21 tommy2 postfix-local[48103]: message discarded by a mail handler
Jul 14 02:38:21 tommy2 postfix/pipe[47528]: 23602401FAEE: to=<infantx@infantex.com.mx>, orig_to=<info@infantex.com.mx>, relay=plesk_virtual, delay=0.69, delays=0.06/0.01/0/0.62, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul 14 02:38:21 tommy2 postfix/qmgr[28715]: 23602401FAEE: removed

Your SPF is "v=spf1 include:_spf.google.com ~all" which doesn't include 65.19.141.77, so since Tommy isn't authorized to send emails the message is discarded. You can fix this by allowing Tommy to send emails for your domain.
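For reading a log like the one above, this added example (not code from the thread or from Plesk) pulls the key=value fields out of the DMARC handler line and checks whether an SPF record lists the sending IP directly. The second SPF string is constructed as one possible record that names 65.19.141.77; `include:` and similar mechanisms need DNS and are only reported, not evaluated.

```python
import ipaddress
import re

# Log line copied from the thread (DMARC handler verdict for the contact-form message).
DMARC_LINE = (
    "Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: DMARC: "
    "smtpdomain=infantex.com.mx maildomain=thankyou.com mailfrom=no@thankyou.com "
    "stamp=1657766301 ip=unknown adkim=relaxed aspf=relaxed p=REJECT sp=UNSPECIFIED "
    "pct=100 align_dkim=fail align_spf=fail spfres=unknown dkimres=unknown "
    "dmarccheck=DMARC_POLICY_REJECT dmarcstatus=STOP"
)
SPF_FROM_THREAD = "v=spf1 include:_spf.google.com ~all"
# Constructed: one possible record that also lists the Plesk server's address.
SPF_WITH_PLESK = "v=spf1 ip4:65.19.141.77 include:_spf.google.com ~all"
PLESK_IP = "65.19.141.77"


def parse_dmarc_fields(line):
    """Return the key=value pairs that follow 'DMARC:' in a handler log line."""
    _, _, tail = line.partition("DMARC: ")
    return dict(re.findall(r"(\w+)=(\S+)", tail))


def spf_lists_ip(record, ip):
    """True if a passing ip4:/ip6: mechanism in the record itself covers ip."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        term = term.lstrip("+")  # '-', '~' and '?' qualifiers do not authorize
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False


def unresolved_mechanisms(record):
    """Terms whose result depends on DNS lookups this offline check does not make."""
    needs_dns = {"include", "a", "mx", "exists", "ptr", "redirect"}
    return [t for t in record.split()[1:]
            if re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] in needs_dns]


def summarize(line, spf, ip):
    """Collect the handler's own fields next to the local SPF check."""
    f = parse_dmarc_fields(line)
    keep = ("smtpdomain", "maildomain", "p", "align_dkim", "align_spf", "dmarcstatus")
    out = {k: f[k] for k in keep}
    out["spf_lists_ip"] = spf_lists_ip(spf, ip)
    out["needs_dns"] = unresolved_mechanisms(spf)
    return out
```
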
